Generally, doctor to doctor sharing of protected health information (PHI) is permitted under the HIPAA regulations.

When Is Doctor to Doctor Sharing of PHI Permitted Under HIPAA?

Under the HIPAA Privacy Rule, a covered entity may disclose PHI to facilitate treatment, payment, or healthcare operations (TPO) without a patient’s express written authorization.  Any other disclosure of PHI requires the covered entity to obtain and store written authorization from the individual for the disclosure. 

The Privacy Rule allows doctors, nurses, hospitals, laboratory technicians, and other healthcare providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes, without having to obtain the patient’s written authorization. 

“Treatment” generally means the provision, coordination, or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another.

Provision, coordination, or management of healthcare among healthcare providers typically requires doctor to doctor sharing of PHI. Doctors may share PHI information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.

Although doctor to doctor sharing of PHI under HIPAA is permitted, each doctor must make a reasonable effort to disclose only the minimum necessary information required to achieve the specific purpose that requires the sharing. The concept of “disclosure of only the minimum necessary” is embodied in the Privacy Rule’s “Minimum Necessary Standard.”

Covered entities, in implementing the HIPAA minimum necessary standard, are to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. Entities should also, per the HIPAA minimum necessary standard, develop “use and disclosure” policies and procedures that are appropriate for the organization, and that reflect the entity’s business practices and workforce. 


The covered entity’s HIPAA Minimum Necessary Standard policies and procedures should identify: 

  • The persons or classes of persons within the covered entity who need access to the information to carry out their job duties,
  • The categories or types of protected health information needed, and
  • Conditions appropriate to such access (that is, any condition appropriate for workforce members’ access to, use, or disclosure of PHI).

Need Help with HIPAA?

Let our complete HIPAA solution handle it.